Efficient packet handling, redirection, and inspection using offload processors

ABSTRACT

A packet handling system is disclosed that can include at least one main processor, a plurality of offload processors connected to a memory bus and configured to provide security related services on packets prior to redirection to the main processor; an arbiter connected to each of the plurality of offload processors, the arbiter capable of scheduling resource priority for instructions or data received from the memory bus; and a virtual switch respectively connected to the main processor and the plurality of offload processors using the memory bus, with the virtual switch capable of receiving memory read/write data over the memory bus, and further directing at least some memory read/write data to the arbiter.

PRIORITY CLAIMS

This application claims the benefit of U.S. Provisional PatentApplications 61/650,373 filed May 22, 2012, 61/753,892 filed on Jan. 17,2013, 61/753,895 filed on Jan. 17, 2013, 61/753,899 filed on Jan. 17,2013, 61/753,901 filed on Jan. 17, 2013, 61/753,903 filed on Jan. 17,2013, 61/753,904 filed on Jan. 17, 2013, 61/753,906 filed on Jan. 17,2013, 61/753,907 filed on Jan. 17, 2013, and 61/753,910 filed on Jan.17, 2013, the contents all of which are incorporated by referenceherein.

TECHNICAL FIELD

The present disclosure relates generally to servers capable ofefficiently handling routine packet inspection or other tasks withoutdirection from a main processor. More particularly, systems supportingoffload or auxiliary processing modules that can be physically connectedto a system memory bus to process packet data independent of a hostprocessor of the server are described.

BACKGROUND

Packet handling and security applications can require a significantamount of scarce computational resources in enterprise server or cloudbased data systems. These can include services such as packet repeaters,intrusion detection systems (IDS), intrusion protection systems (IPS),and routing mechanisms for virtual private networks (VPNs). Manyproprietary and incompatible hardware systems are available for suchpacket handling and transport services, but cost and a desire forstandardization pushes enterprise data storage and processing providerstoward software defined stacks running on commodity (e.g., x86architecture) hardware.

Unfortunately, processors based on x86 architectures are ill-equipped tohandle such high volume applications. Even idling, x86 processors use asignificant amount of power, and near continuous operation for highbandwidth packet analysis functionality make the processor energy costsone of the dominate price factors. In addition, issues with the highcost of context switching, the limited parallelism, and the securityimplications associated with running encryption/decryption modules onx86 processors have reduced the effectiveness of enterprise or clouddata security.

SUMMARY

A packet handling system can include at least one main processor, aplurality of offload processors connected to a memory bus and configuredto provide security related services on packets prior to redirection tothe main processor; an arbiter connected to each of the plurality ofoffload processors, the arbiter capable of scheduling resource priorityfor instructions or data received from the memory bus; and a virtualswitch respectively connected to the main processor and the plurality ofoffload processors using the memory bus, with the virtual switch capableof receiving memory read/write data over the memory bus, and furtherdirecting at least some memory read/write data to the arbiter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an embodiment with two computers which can be rack serversconnected over a network interface such as an Ethernet-type interface.

FIG. 2 shows module according to an embodiment (referred to as a XIMMmodule) in more detail acting as a part of the second server.

FIG. 3-1 illustrates an embodiment with software stacks respectivelyrunning on a XIMM module and an x86-based server processor.

FIG. 3-2 illustrates an embodiment with software stacks described inFIG. 3-1 operating in the context of two servers communicating over anEthernet-type connection

FIG. 4-1 shows a cartoon schematically illustrating a data processingsystem according to an embodiment, including a removable computationmodule for offload of data processing.

FIG. 4-2 shows an example layout of a XIMM module according to anembodiment.

FIG. 4-3 shows two possible architectures for a XIMM module in asimulation (Xockets MAX and MIN).

FIG. 4-4 shows a representative the power budget for an example of aXockets XIMM.

FIG. 4-5 illustrates data flow operations of one embodiment using an ARMA9 architecture according to an embodiment.

FIG. 5-1 is a block schematic diagram of a processing module accordingto an embodiment.

FIGS. 5-2 and 5-3 are diagrams of a processor module according toembodiments.

FIG. 5-4 is a diagram showing an opposing side of a processor modulelike that of FIG. 5-2 or 5-3, according to an embodiment.

FIG. 5-5 is a diagram of a system according to an embodiment.

FIGS. 5-6 to 5-11 are block schematic diagrams showing processor moduleoperations according to particular embodiments.

FIG. 5-12 is a flow diagram of a method according to an embodiment.

FIG. 5-13 is a flow diagram of a method according to another embodiment.

FIG. 6-1 is a block schematic diagram of a system according to anotherembodiment.

FIG. 6-2 is a diagram showing a system flow according to an embodiment.

DETAILED DESCRIPTION

Packet handling and security applications for enterprise server or cloudbased data systems can be efficiently implemented on offload processingmodules connected to a memory bus, for example, by insertion into asocket for a Dual In-line Memory Module (DIMM). Such modules can bereferred to as Xocket™ In-line Memory Modules (XIMMs), and can havemultiple “wimpy” cores associated with a memory channel. Using one ormore XIMMs it is possible to execute lightweight packet handling taskswithout intervention from a main server processor. As will be discussed,XIMM modules can have high efficiency context switching, highparallelism, and can solve security problems associated with runningencryption/decryption modules on x86 processors. Such systems as a wholeare able to handle high network bandwidth traffic at a lower latency andat a very low power when compared to traditional high power ‘brawny’server cores. XIMMs can provide services such as firewall packetrepeaters, intrusion detection systems (IDS), intrusion protectionsystems (IPS), and routing mechanisms for virtual private networks withlow power costs and high reliability.

FIG. 1 illustrates an embodiment with two computers which can be rackservers (100 a, 100 b) connected over a network interface such asEthernet (108). It is seen that both contain a central processing unit(104 a, 104 b), a network interface controller (106 a, 106 b) and anumber of connectors (102 a, 102 b, 102 c, 102 d, 102 e, 102 f) whichcan be dual-inline memory module (DIMM) connectors. It is further seenthat the second server (100 b) has a removable computation module (110)which can be inserted into one of the connector slots (102 d). In anexample, this computation module is a XIMM. Packets can be sentbi-directionally between the two servers, through the shown NICs andover the connection (108), and a variety of offload packet handlingservices can be performed by the XIMM in the second server, includingbut not limited to virtual private network (VPN) tunneling and signaturedetection and packet filtering as an intrusion prevention system (IPS).

FIG. 2 shows a different view of the XIMM module in the context of thesecond server shown above in FIG. 1. Network packets flow from atop-of-rack (TOR) switch (200) to the server, where a first virtualswitch (202), in this case a network interface card with single root IOvirtualization (SR-IOV), receives the packets and determines which XIMMmodule (206) to send them to. The packet is passed to the XIMM by way ofan input-out memory management unit (IOMMU 204). On the XIMM 206, afirst of a number of offload processors can act as a virtual switch(208).

The virtual switch 208 can be created with virtual switching softwaresuch as OpenFlow. OpenFlow is an open standard network protocol used tomanage traffic between commercial Ethernet switches, routers andwireless access points. OpenFlow enables software-defined networking(SDN) for programmable networks and typically emulates a hardwareEthernet switch. Using a configurable data flow table it is possible toconnect multiple switches and/or networks together to create a dataflow, and then flexibly managing the entire infrastructure, settingpolicies and managing traffic type as needed. It allows for deploymentof innovative routing and switching protocols in a network for manydifferent applications, including virtual machine and high-securitynetworks. The software stack running on a processor of the server alsoprovides control plane provisioning (216) which includes a variety ofpacket handling services including but not limited to virtual privatenetwork (VPN) encryption/decryption through an open source technologysuch as OpenVPN, as but one example. Upon receipt, a decrypted packet isarbitrated by said processor acting as a switch to a second of aplurality of other offload processors (210). The second offloadprocessor 210 can be running an operating system such as Apache, and mayutilize a software stack for packet handling services. It reassemblesdecrypted packet data and performs intrusion prevention systems (IPS)signature detection in order to detect malicious incoming packettraffic. Optionally, a connection can also be established between theXIMM 206 and another server processor (e.g., a x86 processor) (214)through a high speed bus. Packets may be sent to the x86 processor 214via a bus, including but limited to memory busses such as a double datarate (DDR, DDR2, DDR3, DDR4) bus. In this example, an Ethernet tunnel(212) exists over a DDR bus between the XIMM and the server's x86processor (214) for the transmission of packets or other informationbetween the two.

Advantageously, such a system can greatly improve computational andpower efficiency for management of simultaneously running IPS and VPNservices. Traditionally, IPS protocols require the assembly of data forsignature detection before traffic is allowed to access a server, butVPN protocols mandate decryption on the server to produce signaturedetection data. In practice, many cloud service providers are forced touse proprietary hardware or simply disallow IPS services to a servercore (limiting IPS to between an enterprise router and a gateway). Useof XIMMs allows the problems associated with simultaneous IPS and VPN tobe avoided, since signature detection can occur on the XIMM (forexample, with the aid of Advanced Encryption Standard (AES) coresimplementable on FPGA cores in a XIMM), while VPN interconnection ismaintained.

FIG. 3-1 illustrates exemplary software stacks respectively running on aXIMM and an x86-based server processor. A XIMM can include multipleoffload processors, and each of the offload processors on the XIMMs canhave an operating system such as Apache (300) which runs a stack ofsoftware for the packet handling services as described herein, orequivalents. One or more of the offload processors on the XIMM may bededicated to arbitrating packets between the other offload processors,and may utilize a virtual switching software such as OpenFlow to do so(310). An arbitrating processor can also provide header services (308)by classifying packets by session identifier in preparation forpacket-level applications such as signature detection and preprocessing.An arbitration processor can also manage VPN encryption and decryptionservices (302) using virtual private networking software such asOpenVPN. Input-output memory management software (e.g., IOMMU of 306)can be provided in order to facilitate safe sharing and usage ofphysical memory when the arbitration processor switches between virtualsessions for incoming packets. Direct memory access (e.g., R/DMA of 306)can allow for direct read/write to an internal memory of a XIMM. Queuingand reassembly functions (320) can take decrypted incoming fragments ofdata, assemble them into their original form and queue them forprocessing on one of multiple offload processors onboard the XIMM.Another software function can handle zero-overhead context switching(e.g., ZOCS of 304) in synergy with memory-mapped IO (e.g., MMIO of304). As packets belonging to different sessions ingress, the offloadprocessors can rapidly switch contexts and read from different parts ofmemory in order to service them. MMIO and ZOOS can also be crucial inhardware accelerating the signature detection in the IPS portion of theXockets stack, as the offload processors context switch between each ofthe input queues representing different signatures without incurringadditional overhead. The VPN/IPS services layer (302) provides thealgorithms for packet encryption and decryption, as well as signaturedetection for malicious packet traffic.

On the x86 server processor, an operating system is also present and canrun database and analytics software (318, 322), such as a Hadoop andMySQL as but two possible examples. A software hypervisor such asSessionVisor may run as well, providing virtualization services to aplurality of guest OS sessions (312). The hypervisor is responsible forthe provisioning of hardware resources to the guest sessions, and alsoruns virtual switching software such as OpenFlow for directing packetsto their destination sessions. An x86 software stack can also includeone or more software applications related to the XIMM. In the particularembodiment shown, two XIMM specific software applications are alsopresent. A software application socket (314) facilitates communicationbetween the CPU and the XIMM offload processors, and a NIC driver (316)provides Ethernet-over-DDR tunneling and packet transmission from theNIC to the XIMM.

FIG. 3-2 shows the software stacks described in FIG. 3-1 operating inthe context of two servers (340, 342) communicating over anEthernet-type connection (338). A packet is instantiated in the firstserver (342) and a kernel command (344) is given to send it through thesoftware stack and over the network. Memory mapped input-output (346)(MMIO) is used to write the packet data into a XIMM on the first server(348), and a software stack prepares the packet for transmission usingsecure socket layer (SSL) VPN encryption. A VPN tunnel is establishedbetween the two servers (350) and the packet is transmitted from thefirst server's NIC (352) over the network (338). Upon receipt of thepacket, the second server's NIC (352′) forwards it to a XIMM by way of acustom driver (334). The input-output memory management unit (332)(IOMMU) determines which session the packet belongs to and passes it tothe TCP offload stack (336) for header detection (330). An SSL servicesuch as OpenSSL (328) decrypts the packet under the control of VPNsoftware such as OpenVPN (326). An IPS software such as a Suricata (324)then performs signature detection on the packet in order to detect apossible threat, and upon clearance passes it to the kernel.

The following example(s) provide illustration and discussion ofexemplary hardware and data processing systems suitable forimplementation and operation of the foregoing discussed systems andmethods. In particular, hardware and operation of wimpy cores orcomputational elements connected to a memory bus and mounted in DIMM orother conventional memory socket is discussed.

FIG. 4-1 is a cartoon schematically illustrating a data processingsystem 400 including a removable computation module 402 for offload ofdata processing from x86 or similar main/server processors 403 to memorybus 405 connected modules, as described herein or equivalents. Suchmodules 402 can be XIMM modules as described herein, or an equivalent,and can have multiple computation elements that can be referred to as“offload processors” because they offload various “light touch”processing tasks from the main processors (or x86 server), including butnot limited to HTML, video, packet level services, security, or dataanalytics. This is of particular advantage for applications that requirefrequent random access or application context switching, since manyserver processors incur significant power usage or have data throughputlimitations that can be greatly reduced by transfer of the computationto lower power and more memory efficient offload processors.

The computation elements or offload processors are accessible throughmemory bus 405. In this embodiment, the module can be inserted into aDual Inline Memory Module (DIMM) slot on a commodity computer or serverusing a DIMM connector (407), providing a significant increase ineffective computing power to system 400. The XIMM may communicate withother components in the commodity computer or server via one of avariety of busses including but not limited to any version of existingdouble data rate standards (e.g., DDR, DDR2, DDR3, etc.)

This illustrated embodiment of the XIMM contains five offload processors(400 a, 400 b, 400 c, 400 d, 400 e) however other embodiments containinggreater or fewer numbers of processors are contemplated. The offloadprocessors can be custom manufactured or one of a variety of commodityprocessors including but not limited to field-programmable grid arrays(FPGA), microprocessors, reduced instruction set computers (RISC),microcontrollers or ARM processors. The computation elements or offloadprocessors can include combinations of computational FPGAs such as thosebased on Altera, Xilinx (e.g., Artix class), or Zynq architecture (e.g.,Zynq 7020), and/or conventional processors such as those based on IntelAtom or ARM architecture (e.g., ARM A9). For many applications, ARMprocessors having advanced memory handling features such as snoopcontrol unit (SCU) are preferred, since this allows coherent read andwrite of memory. Other preferred advanced memory features can includeprocessors that support an accelerator coherency port (ACP) that canallow for coherent supplementation of the cache through an FPGA fabricor computational element.

Each offload processor on the XIMM may run one of a variety of operatingsystems including but not limited to Apache or Linux. In addition, theoffload processors may have access to a plurality of dedicated or sharedstorage methods. In this embodiment, each offload processor connects totwo dedicated storage units (404 a, 404 b, 404 c, 404 d, 404 e) whichcan be of a variety of storage types, including but not limited torandom access memory (RAM), dynamic random access memory (DRAM),sequential access memory (SAM), static random access memory (SRAM),synchronous dynamic random access memory (SDRAM), reduced latencydynamic random access memory (RLDRAM), flash memory, or other emergingmemory standards such as those based on DDR4 or hybrid memory cubes(HMC).

FIG. 4-2 shows an example layout of a XIMM module such as that describedin FIG. 4-1, as well as a connectivity diagram between the components ofthe XIMM module. In this example, five Xilinx™ Zynq 7020 (416 a, 416 b,416 c, 416 d, 416 e) programmable systems-on-a-chip (SoC) are used ascomputational FPGAs/offload processors. These offload processorscommunicate with each other using memory-mapped input-output (MMIO)(412). The types of storage units used in this example are SDRAM (SD,one shown as 408) and RLDRAM (RLD, three shown as 406 a, 406 b, 406 c)and an Inphi™ iMB02 memory buffer 418. Down conversion of 3.3 V to 2.5volt is required to connect the RLDRAM with the Zynq components. Thecomponents are connected to the offload processors and to each other viaa DDR3 (414) memory bus. Advantageously, the indicated layout maximizesmemory resources availability without requiring a violation of thenumber of pins available under the DIMM standard.

In this embodiment, one of the Zynq computational FPGAs can act asarbiter providing a memory cache, giving an ability to have peer to peersharing of data (via memcached or OMQ memory formalisms) between theother Zynq computational FPGAs. All traffic departing for thecomputational FPGAs is controlled through memory mapped I/O. The arbiterqueues session data for use, and when a computational FPGA asks foraddress outside of the provided session, the arbiter is the first levelof retrieval, external processing determination, and predictors set.

FIG. 4-3 shows two possible architectures for a XIMM in a simulation(Xockets MAX and MIN). Xockets MIN (420 a) can be used in low-end publiccloud servers, containing twenty ARM cores (420 b) spread acrossfourteen DIMM slots in a commodity server which has two Opteron x86processors and two network interface cards (NICs) (420 c). Thisarchitecture provides a minimal benefit per Watt of power used. XocketsMAX (422 a) contains eighty ARM cores (422 b) across eight DIMM slots,in a server with two Opteron x86 processors and four NICs (422 c). Thisarchitecture can provide a maximum benefit per Watt of power used.

FIG. 4-4 shows a representative power budget for an example of a XIMMaccording to a particular embodiment. Each component is listed (424 a,424 b, 424 c, 424 d) along with its power profile. Average total andtotal wattages are also listed (426 a, 426 b). In total, especially forI/O packet processing with packet sizes on the order 1 KB in size, a lowaverage power budget that is easily able to be provided by the 22 V_(dd)pins per DIMM. Additionally, the expected thermal output can be handledby inexpensive conductive heat spreaders, without requiring additionalconvective, conductive, or thermoelectric cooling. In certainsituations, digital thermometers can be implemented to dynamicallyreduce performance (and consequent heat generation) if needed.

Operation of one embodiment of a XIMM module 430 using an ARM A9architecture is illustrated with respect to FIG. 4-5. Use of ARM A9architecture in conjunction with an FPGA fabric and memory, in this caseshown as reduced latency DRAM (RLDRAM), can simplify or makes possiblezero-overhead context switching, memory compression and CPI, in part byallowing hardware context switching synchronized with network queuing.In this way, there is a one to one mapping between thread and queues. Asillustrated, the ARM A9 architecture includes a Snoop Control Unit 432(SCU). This unit allows one to read out and write in memory coherently.Additionally, the Accelerator Coherency Port 434 (ACP) allows forcoherent supplementation of the cache throughout the FPGA 436. TheRLDRAM 438 provides the auxiliary bandwidth to read and write theping-pong cache supplement (435): Block1$ and Block2$ duringpacket-level meta-data processing.

The following table (Table 1) illustrates potential states that canexist in the scheduling of queues/threads to XIMM processors and memorysuch as illustrated in FIG. 4-5.

TABLE 1 Queue/Thread State HW treatment Waiting for Ingress All ingressdata has been processed and thread Packet awaits further communication.Waiting for MMIO A functional call to MM hardware (such as HW encryptionor transcoding) was made. Waiting for Rate-limit The thread's resourceconsumption exceeds limit, due to other connections idling. Currentlybeing One of the ARM cores is already processing this processed thread,cannot schedule again. Ready for Selection The thread is ready forcontext selection.

These states help coordinate the complex synchronization betweenprocesses, network traffic, and memory-mapped hardware. When a queue isselected by a traffic manager a pipeline coordinates swapping in thedesired L2 cache (440), transferring the reassembled IO data into thememory space of the executing process. In certain cases, no packets arepending in the queue, but computation is still pending to serviceprevious packets. Once this process makes a memory reference outside ofthe data swapped, a scheduler can require queued data from the networkinterface card (NIC) to continue scheduling the thread. To provide fairqueuing to a process not having data, the maximum context size isassumed as data processed. In this way, a queue must be provisioned asthe greater of computational resource and network bandwidth resource,for example, each as a ratio of an 800 MHz A9 and 3 Gbps of bandwidth.Given the lopsidedness of this ratio, the ARM core is generallyindicated to be worthwhile for computation having many parallel sessions(such that the hardware's prefetching of session-specific data andTCP/reassembly offloads a large portion of the CPU load) and thoserequiring minimal general purpose processing of data.

Essentially zero-overhead context switching is also possible using XIMMmodules as disclosed in FIG. 4-5. Because per packet processing hasminimum state associated with it, and represents inherent engineeredparallelism, minimal memory access is needed, aside from packetbuffering. On the other hand, after packet reconstruction, the entirememory state of the session can be accessed, and so requires maximalmemory utility. By using the time of packet-level processing to prefetchthe next hardware scheduled application-level service context in twodifferent processing passes, the memory can always be available forprefetching. Additionally, the FPGA 436 can hold a supplemental“ping-pong” cache (435) that is read and written with every contextswitch, while the other is in use. As previously noted, this is enabledin part by the SCU 432, which allows one to read out and write in memorycoherently, and ACP 434 for coherent supplementation of the cachethroughout the FPGA 436. The RLDRAM 438 provides for read and write tothe ping-pong cache supplement (435): Block1$ and Block2$ duringpacket-level meta-data processing. In the embodiment shown, only locallyterminating queues can prompt context switching.

In operation, metadata transport code can relieve a main or hostprocessor from tasks including fragmentation and reassembly, andchecksum and other metadata services (e.g., accounting, IPSec, SSL,Overlay, etc.). As IO data streams in and out, L1 cache 437 can befilled during packet processing. During a context switch, the lock-downportion of a translation lookaside buffer (TLB) of an L1 cache can berewritten with the addresses corresponding to the new context. In onevery particular implementation, the following four commands can beexecuted for the current memory space.

MRC p15,0,r0,c10,c0,0; read the lockdown register

BIC r0,r0,#1; clear preserve bit

MCR p15,0,r0,c10,c0,0; write to the lockdown register;

write to the old value to the memory mapped Block RAM

Bandwidths and capacities of the memories can be precisely allocated tosupport context switching as well as applications such as Openflowprocessing, billing, accounting, and header filtering programs.

For additional performance improvements, the ACP 434 can be used notjust for cache supplementation, but hardware functionalitysupplementation, in part by exploitation of the memory space allocation.An operand is written to memory and the new function called, throughcustomizing specific Open Source libraries, so putting the thread tosleep and the hardware scheduler validates it for scheduling again oncethe results are ready. For example, OpenVPN uses the OpenSSL library,where the encrypt/decrypt functions can be memory mapped. Large blocksare then available to be exported without delay, or consuming the L2cache 440, using the ACP. Hence, a minimum number of calls are neededwithin the processing window of a context switch, improving overallperformance.

FIG. 5-1 is a block diagram of a processing module 500 according toanother embodiment. A processing module 500 can be one implementation ofXIMM as described herein. A processing module 500 can include a physicalin-line module connector 502, a memory interface 504, arbiter logic 506,offload processor(s) 508, local memory 510, and control logic 512. Aconnector 502 can provide a physical connection to system memory bus.This is in contrast to a host processor which can access a system memorybus via a memory controller, or the like. In very particularembodiments, a connector 502 can be compatible with a dual in-linememory module (DIMM) slot of a computing system. Accordingly, a systemincluding multiple DIMM slots can be populated with one or moreprocessing modules 500, or a mix of processing modules and DIMM modules.

A memory interface 504 can detect data transfers on a system memory bus,and in appropriate cases, enable write data to be stored in theprocessing module 500 and/or read data to be read out from theprocessing module 500. In some embodiments, a memory interface 504 canbe a slave interface, thus data transfers are controlled by a masterdevice separate from the processing module. In very particularembodiments, a memory interface 504 can be a direct memory access (DMA)slave, to accommodate DMA transfers over a system memory initiated by aDMA master. Such a DMA master can be a device different from a hostprocessor. In such configurations, processing module 500 can receivedata for processing (e.g., DMA write), and transfer processed data out(e.g., DMA read) without consuming host processor resources.

Arbiter logic 506 can arbitrate between conflicting data accesses withinprocessing module 500. In some embodiments, arbiter logic 506 canarbitrate between accesses by offload processor 508 and accessesexternal to the processor module 500. It is understood that a processingmodule 500 can include multiple locations that are operated on at thesame time. It is also understood that accesses that are arbitrated byarbiter logic 506 can include accesses to physical system memory spaceoccupied by the processor module 500, as well as accesses to resources(e.g., processor resources). Accordingly, arbitration rules for arbiterlogic 506 can vary according to application. In some embodiments, sucharbitration rules are fixed for a given processor module 500. In suchcases, different applications can be accommodated by switching outdifferent processing modules. However, in alternate embodiments, sucharbitration rules can be configurable while the module is connected to adata bus.

Offload processor(s) 508 can include one or more processors that canoperate on data transferred over the system memory bus. In someembodiments, offload processors can run a general operating system,enabling processor contexts to be saved and retrieved. Computing tasksexecuted by offload processor 508 can be controlled by control logic512. Offload processor(s) 508 can operate on data buffered in theprocessing module 500. In addition or alternatively, offloadprocessor(s) 508 can access data stored elsewhere in a system memoryspace. In some embodiment, offload processor(s) 508 can include a cachememory configured to store context information. An offload processor(s)508 can include multiple cores or one core.

A processing module 500 can be included in a system having a hostprocessor (not shown). In some embodiments, offload processors 508 canbe a different type of processor as compared to the host processor. Inparticular embodiments, offload processors 508 can consume less powerand/or have less computing power than a host processor. In veryparticular embodiments, offload processors 508 can be “wimpy” coreprocessors, while a host processor can be a “brawny” core processor. Inalternate embodiments, offload processors 508 can have equivalent orgreater computing power than any host processor.

Local memory 510 can be connected to offload processor(s) 508 to enablethe storing of context information. Accordingly, offload processor(s)508 can store current context information, and then switch to a newcomputing task, then subsequently retrieve the context information toresume the prior task. In very particular embodiments, local memory 510can be a low latency memory with respect to other memories in a system.In some embodiments, storing of context information can include copyinga cache of an offload processor 508 to the local memory 510.

In some embodiments, a same space within local memory 510 is accessibleby multiple offload processors 508 of the same type. In this way, acontext stored by one offload processor can be resumed by a differentoffload processor.

Control logic 512 can control processing tasks executed by offloadprocessor(s) 508. In some embodiments, control logic 512 can beconsidered a hardware scheduler that can be conceptualized as includinga data evaluator 514, scheduler 516 and a switch controller 518. A dataevaluator 514 can extract “metadata” from write data transferred over asystem memory bus. “Metadata”, as used herein, can be any informationembedded at one or more predetermined locations of a block of write datathat indicates processing to be performed on all or a portion of theblock of write data. In some embodiments, metadata can be data thatindicates a higher level organization for the block of write data. Asbut one very particular embodiment, metadata can be header informationof network packet (which may or may not be encapsulated within a higherlayer packet structure).

A scheduler 516 can order computing tasks for offload processor(s) 508.In some embodiments, scheduler 516 can generate a schedule that iscontinually updated as write data for processing is received. In veryparticular embodiments, a scheduler 516 can generate such a schedulebased on the ability to switch contexts of offload processor(s) 508. Inthis way, module computing priorities can be adjusted on the fly. Invery particular embodiments, a scheduler 516 can assign a portion ofphysical address space to an offload processor 508, according tocomputing tasks. The offload processor 508 can then switch between suchdifferent spaces, saving context information prior to each switch, andsubsequently restoring context information when returning to the memoryspace.

Switch controller 518 can control computing operations of offloadprocessor(s) 508. In particular embodiments, according to scheduler 516,switch controller 518 can order offload processor(s) 510 to switchcontexts. It is understood that a context switch operation can be an“atomic” operation, executed in response to a single command from switchcontroller 518. In addition or alternatively, a switch controller 518can issue an instruction set that stores current context information,recalls context information, etc.

In some embodiments, processing module 500 can include a buffer memory(not shown). A buffer memory can store received write data on-board theprocessor module 500. A buffer memory can be implemented on an entirelydifferent set of memory devices, or can be a memory embedded with logicand/or the offload processor. In the latter case, arbiter logic 506 canarbitrate access to the buffer memory. In some embodiments, a buffermemory can correspond to a portion of a system physical memory space.The remaining portion of the system memory space can correspond to otherlike processor modules and/or memory modules connected to the samesystem memory bus. In some embodiments buffer memory can be differentthan local memory 510. For example, buffer memory can have a sloweraccess time than a local memory 510. However, in other embodiments,buffer memory and local memory can be implemented with like memorydevices.

In very particular embodiments, write data for processing can have anexpected maximum flow rate. A processor module 500 can be configured tooperate on such data at, or faster than, such a flow rate. In this way,a master device (not shown) can write data to a processor module withoutdanger of overwriting data “in process”.

The various computing elements of a processor module 500 can beimplemented as one or more integrated circuit devices (ICs). It isunderstood that the various components shown in FIG. 5-1 can be formedin the same or different ICs. For example, control logic 512, memoryinterface 514, and/or arbiter logic 506 can be implemented on one ormore logic ICs, while offload processor(s) 508 and local memory 510 areseparate ICs. Logic ICs can be fixed logic (e.g., application specificICs), programmable logic (e.g., field programmable gate arrays, FPGAs),or combinations thereof.

FIG. 5-2 shows a processor module 500-1 according to one very particularembodiment. A processor module 500-1 can include ICs 520-0/1 mounted toa printed circuit board (PCB) type substrate 522. PCB type substrate 522can include in-line module connection 502, which in one very particularembodiment can be a DIMM compatible connection. IC 520-0 can be asystem-on-chip (SoC) type device, integrating multiple functions. In thevery particular embodiment shown, an IC 520-0 can include embeddedprocessor(s), logic and memory. Such embedded processor(s) can beoffload processor(s) 508 as described herein, or equivalents. Such logiccan be any of controller logic 512, memory interface 504 and/or arbiterlogic 506, as described herein, or equivalents. Such memory can be anyof local memory 510, cache memory for offload processor(s) 508, orbuffer memory, as described herein, or equivalents. Logic IC 520-1 canprovide logic functions not included IC 520-0.

FIG. 5-3 shows a processor module 500-2 according to another veryparticular embodiment. A processor module 500-2 can include ICs 520-2,-3, -4, -5 mounted to a PCB type substrate 522, like that of FIG. 5-2.However, unlike FIG. 5-2, processor module functions are distributedamong single purpose type ICs. IC 520-2 can be a processor IC, which canbe an offload processor 508. IC 520-3 can be a memory IC which caninclude local memory 510, buffer memory, or combinations thereof. IC520-4 can be a logic IC which can include control logic 512, and in onevery particular embodiment, can be an FPGA. IC 520-5 can be anotherlogic IC which can include memory interface 504 and arbiter logic 506,and in one very particular embodiment, can also be an FPGA.

It is understood that FIGS. 5-2 and 5-3 represent but two of variousimplementations. The various functions of a processor module can bedistributed over any suitable number of ICs, including a single SoC typeIC.

FIG. 5-4 shows an opposing side of a processor module 500-3 according toa very particular embodiment. Processor module 500-3 can include anumber of memory ICs, one shown as 520-5, mounted to a PCB typesubstrate 522, like that of FIG. 5-2. It is understood that variousprocessing and logic components can be mounted on an opposing side tothat shown. Memory ICs 520-5 can be configured to represent a portion ofthe physical memory space of a system. Memory ICs 520-5 can perform anyor all of the following functions: operate independently of otherprocessor module components, providing system memory accessed in aconventional fashion; serve as buffer memory, storing write data thatcan be processed with other processor module components; or serve aslocal memory for storing processor context information.

FIG. 5-4 can also represent a conventional DIMM module (i.e., it servesonly a memory function) that can populate a memory bus along withprocessor modules as described herein, or equivalents.

FIG. 5-5 shows a system 530 according to one embodiment. A system 530can include a system memory bus 528 accessible via multiple in-linemodule slots (one shown as 526). According to embodiments, any or all ofthe slots 526 can be occupied by a processor module 500 as describedherein, or an equivalent. In the event all slots 526 are not occupied bya processor module 500, available slots can be occupied by conventionalin-line memory modules 524. In a very particular embodiment, slots 526can be DIMM slots.

In some embodiments, a processor module 500 can occupy one slot.However, in other embodiments, a processor module can occupy multipleslots (i.e., include more than one connection). In some embodiments, asystem memory bus 528 can be further interfaced with one or more hostprocessors and/or input/output devices (not shown).

Having described processor modules according to various embodiments,operations of a processor module according to particular embodimentswill now be described. FIGS. 5-6 to 5-11 show processor moduleoperations according to various embodiments. FIGS. 5-1-06 to 5-1-511show a processor module like that of FIG. 5-1, along with a systemmemory bus 528, and a buffer memory 532. It is understood that in someembodiments, a buffer memory 532 can part of processor module 500. Insuch a case, arbitration between accesses via system memory 528 andoffload processors can be controlled by arbiter logic 506.

Referring to FIG. 5-6, write data 534-0 can be received on system memorybus 528 (circle “1”). In some embodiments, such an action can includethe writing of data to a particular physical address space range of asystem memory. In a very particular embodiment, such an action can be aDMA write independent of any host processor. Write data 534-0 caninclude metadata (MD) as well as data to be processed (Data). In theembodiment shown, write data 534-0 can correspond to a particularprocessing operation (Session0).

Control logic 512 can access metadata (MD) of the write data 534-0 todetermine a type of processing to be performed (circle “2”). In someembodiments, such an action can include a direct read from a physicaladdress (i.e., MD location is at a predetermined location). In additionor alternatively, such an action can be an indirect read (i.e., MD isaccessed via pointer, or the like). The action shown by circle “2” canbe performed by any of: a read by control logic 512 or read by anoffload processor 508. From extracted metadata, scheduler 516 can createa processing schedule, or modify an existing schedule to accommodate thenew computing task (circle “3”).

Referring to FIG. 5-7, in response to a scheduler 516, switch controller518 can direct one or more offload processors 508 be begin processingdata according to MD of the write data (circles “4”, “5”). Suchprocessing of data can include any of the following and equivalents:offload processor 508 can process write data stored in a buffer memoryof the processor module 500, with accesses being arbitrated by arbiterlogic 506; offload processor 508 can operate on data previouslyreceived; offload processor 508 can receive and operation on data storedat a location different than the processor module 500.

Referring to FIG. 5-8, additional write data 534-1 can be received onsystem memory bus 528 (circle “6”). Write data 534-1 can include MD thatindicates a different processing operation (Session1) than that forwrite data 534-0. Control logic 512 can access metadata (MD) of the newwrite data 534-1 to determine a type of processing to be performed(circle “7”). From extracted metadata, scheduler 516 can modify thecurrent schedule to accommodate the new computing task (circle “8”). Inthe particular example shown, the modified schedule re-tasks offloadprocessor(s) 508. Thus, switch controller 518 can direct an offloadprocessor 508 to store its current context (ContextA) in local memory510 (circle “9”).

Referring to FIG. 5-9, in response to switch controller 518, offloadprocessor(s) 508 can begin the new processing task (circle “10”).Consequently, offload processor(s) 508 can maintain a new context(ContextB) corresponding to the new processing task.

Referring to FIG. 5-10, a processing task by offload processor 508 canbe completed. In the very particular embodiment shown, such processingcan modify write data (534-1) and such modified data 534-1′ can be readout over system memory bus 528 (circle “11”). In response to thecompletion of processing task, scheduler 516 can update a schedule. Inthe example shown, in response to the updated schedule, switchcontroller 518 can direct offload processor(s) 508 to restore thepreviously saved context (ContextA) from local memory 510 (circle “12”).As understood from above, in some particular embodiments, a restoredcontext (e.g., ContextA) may have been stored by an offload processordifferent from the one that saved the context in the first place.

Referring to FIG. 5-11, with a previous context restored, offloadprocessor(s) 508 can return to processing data according to the previoustask (Session0) (circle “13”).

FIG. 5-12 shows a method 540 according an embodiment. A method 540 caninclude detecting the write of session data to a system memory with anin-line module slave interface 542. Such an action can includedetermining if received write data has metadata (i.e., data identifyinga particular processing). It is understood that “session data” is datacorresponding to a particular processing task. Further, it is understoodthat MD accompanying (or embedded within) session data can identify thepriority of a session with respect to other sessions.

A method 540 can determine if current offload processing is sufficientfor a new session or change of session 544. Such an action take intoaccount a processing time required for any current sessions.

If current processing resources can accommodate new session requirements(Y from 544), a hardware schedule (schedule for controlling offloadprocessor(s)) can be revised and the new session can be assigned to anoffload processor. If current processing resources cannot accommodatenew session requirements (N from 544), one or more offload processorscan be selected for re-tasking (e.g., a context switch) 550 and thehardware schedule can be modified accordingly 552. The selected offloadprocessors can save their current context data 554 and then switch tothe new session 556.

FIG. 5-13 shows a method 560 according another embodiment. A method 560can include determining if a computing session for an offload processoris complete 562 or has been terminated 564. In such cases (Y from562/564), it can be determined if the free in-line module offloadprocessor (i.e., an offload processor whose session iscomplete/terminated) has a stored context 566. That is, it can bedetermined if the free processor was previously operating on a session.

If a free offload processor was operating according to another session(Y from 566), the offload processor can restore the previous context568. If a free offload processor has no stored context, it can beassigned to an existing session (if possible) 570. An existing hardwareschedule can be updated correspondingly 572.

Processor modules according to embodiments herein can be employed toaccomplish various processing tasks. According to some embodiments,processor modules can be attached to a system memory bus to operate onnetwork packet data. Such embodiments will now be described.

FIG. 6-1 shows a system 601 that can transport packet data to one ormore computational units (one shown as 600) located on a module, whichin particular embodiments, can include a connector compatible with anexisting memory module. In some embodiments, a computational unit 600can include a processor module (e.g., XIMM) as described in embodimentsherein, or an equivalent. A computational unit 600 can be capable ofintercepting or otherwise accessing packets sent over a memory bus 616and carrying out processing on such packets, including but not limitedto termination or metadata processing. A system memory bus 616 can be asystem memory bus like those described herein, or equivalents (e.g.,528).

According to some embodiments, packets corresponding to a particularflow can be transported to a storage location accessible by, or includedwithin computational unit 600. Such transportation can occur withoutconsuming resources of a host processor module 606 c connected to memorybus 616. In particular embodiments, such transport can occur withoutinterrupting the host processor module 606 c. In such an arrangement, ahost processor module 606 c does not have to handle incoming flows.Incoming flows can be directed to computational unit 600, which inparticular embodiments can include one or more general purposeprocessors 608 i. Such general purpose processors 608 i can be capableof running code for terminating incoming flows.

In one very particular embodiment, a general purpose processor 608 i canrun code for terminating particular network flow session types, such asApache video sessions, as but one example.

In addition or alternatively, a general purpose processor 608 i canprocess metadata of a packet. In such embodiments, such metadata caninclude one or more fields of a header for the packet, or a headerencapsulated further within the packet.

Referring still to FIG. 6-1, according to embodiments, a system 601 cancarry out any of the following functions: 1) transport packets of a flowto a destination occupied by, or accessible by, a computational unit 600without interrupting a host processor module 606 c; 2) transport packetsto an offload processor 608 i capable of terminating session flows(i.e., the offload processor is responsible for terminating sessionflows); 3) transport packets to a midplane switch that can process themetadata associated with a packet and make a switching decision; or 4)provide a novel high speed packet terminating system.

Conventional packet processing systems can utilize host processors forpacket termination. However, due to the context switching involved inhandling multiple sessions, conventional approaches require significantprocessing overhead for such context switching, and can incur memoryaccess and network stack delay.

In contrast to conventional approaches, embodiments as disclosed hereincan enable high speed packet termination by reducing context switchoverhead of a host processor. Embodiments can provide any of thefollowing functions: 1) offload computation tasks to one or moreprocessors via a system memory bus, without the knowledge of the hostprocessor, or significant host processor involvement; 2) interconnectservers in a rack or amongst racks by employing offload processors asswitches; or 3) use I/O virtualization to redirect incoming packets todifferent offload processors.

Referring still to FIG. 6-1, a system 601 can include an I/O device 602which can receive packet or other I/O data from an external source. Insome embodiments I/O device 602 can include physical or virtualfunctions generated by the physical device to receive a packet or otherI/O data from the network or another computer or virtual machine. In thevery particular embodiment shown, an I/O device 602 can include anetwork interface card (NIC) having input buffer 602 a (e.g., DMA ringbuffer) and an I/O virtualization function 602 b.

According to embodiments, an I/O device 602 can write a descriptorincluding details of the necessary memory operation for the packet (i.e.read/write, source/destination). Such a descriptor can be assigned avirtual memory location (e.g., by an operating system of the system601). I/O device 602 can communicate with an input output memorymanagement unit (IOMMU) 604 which can translate virtual addresses tocorresponding physical addresses. In the particular embodiment shown, atranslation look-aside buffer (TLB) 604 a can be used for suchtranslation. Virtual function reads or writes data between I/O deviceand system memory locations can then be executed with a direct memorytransfer (e.g., DMA) via a memory controller 606 b of the system 601. AnI/O device 602 can be connected to IOMMU 604 b by a host bus 612. In onevery particular embodiment, a host bus 612 can be a peripheralinterconnect (PCI) type bus. IOMMU 604 b can be connected to a hostprocessing section 606 at a central processing unit I/O (CPUIO) 606 a.In the embodiment shown, such a connection 664 can support aHyperTransport (HT) protocol.

In the embodiment shown, a host processing section 606 can include theCPUIO 606 a, memory controller 606 b, host processor module 606 c andcorresponding provisioning agent 606 d.

In particular embodiments, a computational unit 600 can interface withthe system bus 616 via standard in-line module connection, which in veryparticular embodiments can include a DIMM type slot. In the embodimentshown, a memory bus 616 can be a DDR3 type memory bus, however alternateembodiments can include any suitable system memory bus. Packet data canbe sent by memory controller 606 b to via memory bus 616 to a DMA slaveinterface 610 a. DMA slave interface 610 a can be adapted to receiveencapsulated read/write instructions from a DMA write over the memorybus 616.

A hardware scheduler (608 b/c/d/e/h) can perform traffic management onincoming packets by categorizing them according to flow using sessionmetadata. Packets can be queued for output in an onboard memory (610b/608 a/608 m) based on session priority. When the hardware schedulerdetermines that a packet for a particular session is ready to beprocessed by the offload processor 608 i, the onboard memory is signaledfor a context switch to that session. Utilizing this method ofprioritization, context switching overhead can be reduced, as comparedto conventional approaches. That is, a hardware scheduler can handlecontext switching decisions and thus optimizing the performance of thedownstream resource (e.g., offload processor 608 i).

As noted above, in very particular embodiments, an offload processor 608i can be a “wimpy” core type processor. According to some embodiments, ahost processor module 606 c can include a “brawny” core type processor(e.g., an x86 or any other processor capable of handling “heavy touch”computational operations). While an I/O device 602 can be configured totrigger host processor interrupts in response to incoming packets,according to embodiments, such interrupts can be disabled, therebyreducing processing overhead for the host processor module 606 c. Insome very particular embodiments, an offload processor 608 i can includean ARM, ARC, Tensilica, MIPS, Strong/ARM or any other processor capableof handling “light touch” operations. Preferably, an offload processorcan run a general purpose operating system for executing a plurality ofsessions, which can be optimized to work in conjunction with thehardware scheduler in order to reduce context switching overhead.

Referring still to FIG. 6-1, in operation, a system 601 can receivepackets from an external network over a network interface. The packetscan be directed for processing by either a host processor module 606 cor an offload processor 608 i based on the classification logic andschematics employed by I/O device 602. In particular embodiments, I/Odevice 602 can operate as a virtualized NIC, with packets for aparticular logical network or to a certain virtual MAC (VMAC) addressbeing directed into separate queues and sent over to the destinationlogical entity. Such an arrangement can transfer packets to differententities. In some embodiments, each such entity can have a virtualdriver, a virtual device model that it uses to communicate with virtualnetwork interfaces it is connected to.

According to embodiments, multiple devices can be used to redirecttraffic to specific memory addresses. So, each of the network devicesoperates as if it is transferring the packets to the memory location ofa logical entity. However, in reality, such packets can be transferredto memory addresses where they can be handled by one or more offloadprocessors. In particular embodiments such transfers are to physicalmemory addresses, thus logical entities can be removed from theprocessing, and a host processor can be free from such packet handling.

Accordingly, embodiments can be conceptualized as providing a memory“black box” to which specific network data can be fed. Such a memoryblack box can handle the data (e.g., process it) and respond back whensuch data is requested.

Referring still to FIG. 6-1, according to some embodiments, I/O device602 can receive data packets from a network or from a computing device.The data packets can have certain characteristics, including transportprotocol number, source and destination port numbers, source anddestination IP addresses, for example. The data packets can further havemetadata that is processed (608 d) that helps in their classificationand management.

I/O device 602 can include, but is not limited to, peripheral componentinterconnect (PCI) and/or PCI express (PCIe) devices connecting withhost motherboard via PCI or PCIe bus (e.g., 612). Examples of I/Odevices include a network interface controller (NIC), a host busadapter, a converged network adapter, an ATM network interface etc.

In order to provide for an abstraction scheme that allows multiplelogical entities to access the same I/O device 602, the I/O device maybe virtualized to provide for multiple virtual devices each of which canperform some of the functions of the physical I/O device. The IOvirtualization program, according to an embodiment, can redirect trafficto different memory locations (and thus to different offload processorsattached to modules on a memory bus). To achieve this an I/O device 602(e.g., a network card) may be partitioned into several function parts;including controlling function (CF) supporting input/outputvirtualization (IOV) architecture (e.g., single-root IOV) and multiplevirtual function (VF) interfaces. Each virtual function interface may beprovided with resources during runtime for dedicated usage. Examples ofthe CF and VF may include the physical function and virtual functionsunder schemes such as Single Root I/O Virtualization or Multi-Root I/OVirtualization architecture. The CF acts as the physical resources thatsets up and manages virtual resources. The CF is also capable of actingas a full-fledged IO device. The VF is responsible for providing anabstraction of a virtual device for communication with multiple logicalentities/multiple memory regions.

The operating system/the hypervisor/any of the virtual machines/usercode running on a host processor module 606 c may be loaded with adevice model, a VF driver and a driver for a CF. The device model may beused to create an emulation of a physical device for the host processor606 c to recognize each of the multiple VFs that are created. The devicemodel may be replicated multiple times to give the impression to a VFdriver (a driver that interacts with a virtual IO device) that it isinteracting with a physical device of a particular type.

For example, a certain device module may be used to emulate a networkadapter such as the Intel® Ethernet Converged Network Adapter (CNA)X540-T2, so that the I/O device 602 believes it is interacting with suchan adapter. In such a case, each of the virtual functions may have thecapability to support the functions of the above said CNA, i.e., each ofthe Physical Functions should be able to support such functionality. Thedevice model and the VF driver can be run in either privileged ornon-privileged modes. In some embodiments, there is no restriction withregard to who hosts/runs the code corresponding to the device model andthe VF driver. The code, however, has the capability to create multiplecopies of device model and VF driver so as to enable multiple copies ofsaid I/O interface to be created.

An application or provisioning agent 606 d, as part of anapplication/user level code running in a kernel, may create a virtualI/O address space for each VF during runtime and allocate part of thephysical address space to it. For example, if an application handlingthe VF driver instructs it to read or write packets from or to memoryaddresses 0xaaaa to 0xffff, the device driver may write I/O descriptorsinto a descriptor queue with a head and tail pointer that are changeddynamically as queue entries are filled. The data structure may be ofanother type as well, including but not limited to a ring structure 602a or hash table.

The VF can read from or write data to the address location pointed to bythe driver (and hence to a computational unit 600). Further, oncompleting the transfer of data to the address space allocated to thedriver, interrupts, which are usually triggered to the host processor tohandle said network packets, can be disabled. Allocating a specific I/Ospace to a device can include allocating said IO space a specificphysical memory space occupied.

In another embodiment, the descriptor may comprise only a writeoperation, if the descriptor is associated with a specific datastructure for handling incoming packets. Further, the descriptor foreach of the entries in the incoming data structure may be constant so asto redirect all data write to a specific memory location. In analternate embodiment, the descriptor for consecutive entries may pointto consecutive entries in memory so as to direct incoming packets toconsecutive memory locations.

Alternatively, said operating system may create a defined physicaladdress space for an application supporting the VF drivers and allocatea virtual memory address space to the application or provisioning agent606 d, thereby creating a mapping for each virtual function between saidvirtual address and a physical address space. Said mapping betweenvirtual memory address space and physical memory space may be stored inIOMMU tables 604 a. The application performing memory reads or writesmay supply virtual addresses to say virtual function, and the hostprocessor OS may allocate a specific part of the physical memorylocation to such an application.

Alternatively, VF may be configured to generate requests such as readand write which may be part of a direct memory access (DMA) read orwrite operation, for example. The virtual addresses is be translated bythe IOMMU 604 b to their corresponding physical addresses and thephysical addresses may be provided to the memory controller for access.That is, the IOMMU 604 b may modify the memory requests sourced by theI/O devices to change the virtual address in the request to a physicaladdress, and the memory request may be forwarded to the memorycontroller for memory access. The memory request may be forwarded over abus 614. The VF may in such cases carry out a direct memory access bysupplying the virtual memory address to the IOMMU 604 b.

Alternatively, said application may directly code the physical addressinto the VF descriptors if the VF allows for it. If the VF cannotsupport physical addresses of the form used by the host processor 606 c,an aperture with a hardware size supported by the VF device may be codedinto the descriptor so that the VF is informed of the target hardwareaddress of the device. Data that is transferred to an aperture may bemapped by a translation table to a defined physical address space in thesystem memory. The DMA operations may be initiated by software executedby the processors, programming the I/O devices directly or indirectly toperform the DMA operations.

Referring still to FIG. 6-1, in particular embodiments, parts ofcomputational unit 600 can be implemented with one or more FPGAs. In thesystem of FIG. 6-1, computational unit 600 can include FPGA 610 in whichcan be formed a DMA slave device module 610 a and arbiter 610 f. A DMAslave module 610 a can be any device suitable for attachment to a memorybus 616 that can respond to DMA read/write requests. In alternateembodiments, a DMA slave module 610 a can be another interface capableof block data transfers over memory bus 616. The DMA slave module 610 acan be capable of receiving data from a DMA controller (when it performsa read from a ‘memory’ or from a peripheral) or transferring data to aDMA controller (when it performs a write instruction on the DMA slavemodule 610 a). The DMA slave module 610 a may be adapted to receive DMAread and write instructions encapsulated over a memory bus, (e.g., inthe form of a DDR data transmission, such as a packet or data burst), orany other format that can be sent over the corresponding memory bus.

A DMA slave module 610 a can reconstruct the DMA read/write instructionfrom the memory R/W packet. The DMA slave module 610 a may be adapted torespond to these instructions in the form of data reads/data writes to aDMA master, which could either be housed in a peripheral device, in thecase of a PCIe bus, or a system DMA controller in the case of an ISAbus.

I/O data that is received by the DMA device 610 a can then be queued forarbitration. Arbitration is the process of scheduling packets ofdifferent flows, such that they are provided access to availablebandwidth based on a number of parameters. In general, an arbiterprovides resource access to one or more requestors. If multiplerequestors request access, an arbiter 610 f can determine whichrequestor becomes the accessor and then passes data from the accessor tothe resource interface, and the downstream resource can begin executionon the data. After the data has been completely transferred to aresource, and the resource has competed execution, the arbiter 610 f cantransfer control to a different requestor and this cycle repeats for allavailable requestors. In the embodiment of FIG. 6-1, arbiter 610 f cannotify other portions of computational unit 600 (e.g., 608) of incomingdata.

Alternatively, a computation unit 600 can utilize an arbitration schemeshown in U.S. Pat. No. 7,863,283, issued to Dalal on Oct. 62, 2010, thecontents of which are incorporated herein by reference. Other suitablearbitration schemes known in art could be implemented in embodimentsherein. Alternatively, the arbitration scheme for an embodiment can bean OpenFlow switch and an OpenFlow controller.

In the very particular embodiment of FIG. 6-1, computational unit 600can further include notify/prefetch circuits 610 c which can prefetchdata stored in a buffer memory 610 b in response to DMA slave module 610a, and as arbitrated by arbiter 610 f. Further, arbiter 610 f can accessother portions of the computational unit 600 via a memory mapped I/Oingress path 610 e and egress path 610 g.

Referring to FIG. 6-1, a hardware scheduler can include a schedulingcircuit 608 b/n to implement traffic management of incoming packets.Packets from a certain source, relating to a certain traffic class,pertaining to a specific application or flowing to a certain socket arereferred to as part of a session flow and are classified using sessionmetadata. Such classification can be performed by classifier 608 e.

In some embodiments, session metadata 608 d can serve as the criterionby which packets are prioritized and scheduled and as such, incomingpackets can be reordered based on their session metadata. Thisreordering of packets can occur in one or more buffers and can modifythe traffic shape of these flows. The scheduling discipline chosen forthis prioritization, or traffic management (TM), can affect the trafficshape of flows and micro-flows through delay (buffering), bursting oftraffic (buffering and bursting), smoothing of traffic (buffering andrate-limiting flows), dropping traffic (choosing data to discard so asto avoid exhausting the buffer), delay jitter (temporally shifting cellsof a flow by different amounts) and by not admitting a connection (e.g.,cannot simultaneously guarantee existing service (SLAs) with anadditional flow's SLA).

According to embodiments, computational unit 600 can serve as part of aswitch fabric, and provide traffic management with depth-limited outputqueues, the access to which is arbitrated by a scheduling circuit 608b/n. Such output queues are managed using a scheduling discipline toprovide traffic management for incoming flows. The session flows queuedin each of these queues can be sent out through an output port to adownstream network element.

It is noted that some conventional traffic management circuits do nottake into account the handling and management of data by downstreamelements except for meeting the SLA agreements it already has with saiddownstream elements. In contrast, according to embodiments, a schedulercircuit 608 b/n can allocate a priority to each of the output queues andcarry out reordering of incoming packets to maintain persistence ofsession flows in these queues. A scheduler circuit 608 b/n can be usedto control the scheduling of each of these persistent sessions into ageneral purpose operating system (OS) 608 j, executed on an offloadprocessor 608 i. Packets of a particular session flow, as defined above,can belong to a particular queue. The scheduler circuit 608 b/n maycontrol the prioritization of these queues such that they are arbitratedfor handling by a general purpose (GP) processing resource (e.g.,offload processor 608 i) located downstream. An OS 608 j running on adownstream processor 608 i can allocate execution resources such asprocessor cycles and memory to a particular queue it is currentlyhandling. The OS 608 j may further allocate a thread or a group ofthreads for that particular queue, so that it is handled distinctly bythe general purpose processing element 608 i as a separate entity. Thus,in some embodiments there can be multiple sessions running on a GPprocessing resource, each handling data from a particular session flowresident in a queue established by the scheduler circuit, to tightlyintegrate the scheduler and the downstream resource (e.g., 608 i). Thiscan bring about persistence of session information across the trafficmanagement and scheduling circuit and the general purpose processingresource 608 j.

Dedicated computing resources (e.g., 608 i), memory space and sessioncontext information for each of the sessions can provide a way ofhandling, processing and/or terminating each of the session flows at thegeneral purpose processor 608 i. The scheduler circuit 608 b/n canexploit this functionality of the execution resource to queue sessionflows for scheduling downstream. For example, the scheduler circuit 608b/n can be informed of the state of the execution resource(s) (e.g., 608i), the current session that is run on the execution resource; thememory space allocated to it, the location of the session context in theprocessor cache.

According to embodiments, a scheduler circuit 608 b/n can furtherinclude switching circuits to change execution resources from one stateto another. The scheduler circuit 608 b/n can use such a capability toarbitrate between the queues that are ready to be switched into thedownstream execution resource. Further, the downstream executionresource can be optimized to reduce the penalty and overhead associatedwith context switch between resources. This is further exploited by thescheduler circuit 608 b/n to carry out seamless switching betweenqueues, and consequently their execution as different sessions by theexecution resource.

A scheduler circuit 608 b/n according to embodiments can scheduledifferent sessions on a downstream processing resource, wherein the twoare operated in coordination to reduce the overhead during contextswitches. An important factor to decreasing the latency of services andengineering computational availability can be hardware context switchingsynchronized with network queuing. In embodiments, when a queue isselected by a traffic manager, a pipeline coordinates swapping in of thecache (e.g., L2 cache) of the corresponding resource and transfers thereassembled I/O data into the memory space of the executing process. Incertain cases, no packets are pending in the queue, but computation isstill pending to service previous packets. Once this process makes amemory reference outside of the data swapped, the scheduler circuit canenable queued data from an I/O device 602 to continue scheduling thethread.

In some embodiments, to provide fair queuing to a process not havingdata, a maximum context size can be assumed as data processed. In thisway, a queue can be provisioned as the greater of computational resourceand network bandwidth resource. As but one very particular example, acomputation resource can be an ARM A9 processor running at 800 MHz,while a network bandwidth can be 3 Gbps of bandwidth. Given the lopsidednature of this ratio, embodiments can utilize computation having manyparallel sessions (such that the hardware's prefetching ofsession-specific data offloads a large portion of the host processorload) and having minimal general purpose processing of data.

Accordingly, in some embodiments, a scheduler circuit 608 b/n can beconceptualized as arbitrating, not between outgoing queues at line ratespeeds, but arbitrating between terminated sessions at very high speeds.The stickiness of sessions across a pipeline of stages, including ageneral purpose OS, can be a scheduler circuit optimizing any or allsuch stages of such a pipeline.

Alternatively, a scheduling scheme can be used as shown in U.S. Pat. No.7,760,765 issued to Dalal on Jul. 20, 2010, incorporated herein byreference. This scheme can be useful when it is desirable to rate limitthe flows for preventing the downstream congestion of another resourcespecific to the over-selected flow, or for enforcing service contractsfor particular flows. Embodiments can include arbitration scheme thatallows for service contracts of downstream resources, such as generalpurpose OS that can be enforced seamlessly.

Referring still to FIG. 6-1, a hardware scheduler according toembodiments herein, or equivalents, can provide for the classificationof incoming packet data into session flows based on session metadata. Itcan further provide for traffic management of these flows before theyare arbitrated and queued as distinct processing entities on the offloadprocessors.

In some embodiments, offload processors (e.g., 608 i) can be generalpurpose processing units capable of handling packets of differentapplication or transport sessions. Such offload processors can be lowpower processors capable of executing general purpose instructions. Theoffload processors could be any suitable processor, including but notlimited to: ARM, ARC, Tensilica, MIPS, StrongARM or any other processorthat serves the functions described herein. The offload processors havegeneral purpose OS running on them, wherein the general purpose OS isoptimized to reduce the penalty associated with context switchingbetween different threads or group of threads.

In contrast, context switches on host processors can be computationallyintensive processes that require the register save area, process contextin the cache and TLB entries to be restored if they are invalidated oroverwritten. Instruction Cache misses in host processing systems canlead to pipeline stalls and data cache misses lead to operation stalland such cache misses reduce processor efficiency and increase processoroverhead.

According to embodiments, an OS 608 j running on the offload processors608 i in association with a scheduler circuit, can operate together toreduce the context switch overhead incurred between different processingentities running on it. Embodiments can include a cooperative mechanismbetween a scheduler circuit and the OS on the offload processor 608 i,wherein the OS sets up session context to be physically contiguous(physically colored allocator for session heap and stack) in the cache;then communicates the session color, size, and starting physical addressto the scheduler circuit upon session initialization. During an actualcontext switch, a scheduler circuit can identify the session context inthe cache by using these parameters and initiate a bulk transfer ofthese contents to an external low latency memory. In addition, thescheduler circuit can manage the prefetch of the old session if itscontext was saved to a local memory 608 m. In particular embodiments, alocal memory 608 m can be low latency memory, such as a reduced latencydynamic random access memory (RLDRAM), as but one very particularembodiment. Thus, in embodiments, session context can be identifieddistinctly in the cache.

In some embodiments, context size can be limited to ensure fastswitching speeds. In addition or alternatively, embodiments can includea bulk transfer mechanism to transfer out session context to a localmemory 608 m. The cache contents stored therein can then be retrievedand prefetched during context switch back to a previous session.Different context session data can be tagged and/or identified withinthe local memory 608 m for fast retrieval. As noted above, contextstored by one offload processor may be recalled by a different offloadprocessor.

In the very particular embodiment of FIG. 6-1 multiple offloadprocessing cores can be integrated into a computation FPGA 608. Multiplecomputational FPGAs can be arbitrated by arbitrator circuits in anotherFPGA 610. The combination of computational FPGAs (e.g., 608) and arbiterFPGAs (e.g., 610) can be one implementation of a XIMM module. Inparticular applications, these XIMM modules can provide integratedtraffic and thread management circuits that broker execution of multiplesessions on the offload processors.

FIG. 6-2 shows a system flow according to an embodiment. Packet or otherI/O data can be received at an I/O device 620. An I/O device 620 can bephysical device, virtual device or combination thereof. Interruptsgenerated from the I/O data, that would conventionally be intended for ahost processor 624, can be disabled, allowing such I/O data to beprocessed without resources of the host processor 624.

An IOMMU 621 can map received data to physical addresses of a systemaddress space. DMA master 625 can transmit such data to such memoryaddresses by operation of a memory controller 622. Memory controller 622can execute DRAM transfers over a memory bus with a DMA Slave 627. Uponreceiving transferred I/O data, a hardware scheduler 623 can scheduleprocessing of such data with an offload processor 624. In someembodiments, a type of processing can be indicated by metadata withinthe I/O data. Further, in some embodiments such data can be stored in anOnboard Memory 629. According to instructions from hardware scheduler623, one or more offload processors 624 can execute computing functionsin response to the I/O data. In some embodiments, such computingfunctions can operate on the I/O data, and such data can be subsequentlyread out on memory bus via a read request processed by DMA Slave 627.

It should be appreciated that in the foregoing description of exemplaryembodiments of the invention, various features of the invention aresometimes grouped together in a single embodiment, figure, ordescription thereof for the purpose of streamlining the disclosureaiding in the understanding of one or more of the various inventiveaspects. This method of disclosure, however, is not to be interpreted asreflecting an intention that the claimed invention requires morefeatures than are expressly recited in each claim. Rather, as thefollowing claims reflect, inventive aspects lie in less than allfeatures of a single foregoing disclosed embodiment. Thus, the claimsfollowing the detailed description are hereby expressly incorporatedinto this detailed description, with each claim standing on its own as aseparate embodiment of this invention.

It is also understood that the embodiments of the invention may bepracticed in the absence of an element and/or step not specificallydisclosed. That is, an inventive feature of the invention may beelimination of an element.

Accordingly, while the various aspects of the particular embodiments setforth herein have been described in detail, the present invention couldbe subject to various changes, substitutions, and alterations withoutdeparting from the spirit and scope of the invention.

What is claimed is:
 1. A packet handling system, comprising: at leastone main processor coupled to a system bus and to a memory bus by amemory controller, a plurality of offload processors disposed onhardware modules directly connected to a memory bus and configured toprovide security related services on packets received over the memorybus by operation of the memory controller prior to redirection to themain processor; an arbiter disposed on at least one of the hardwaremodules and connected to each of the plurality of offload processors ofits hardware module, the arbiter configured to schedule resourcepriority for instructions or data received from the memory bus byoperation of the memory controller; a first virtual switch disposed onat least one of the hardware modules in communication with both the mainprocessor and the plurality of offload processors by operation of thememory controller using the memory bus, with the first virtual switchconfigured to receive memory read/write data over the memory bus, andfurther directing at least some memory read/write data to the arbiter;and a second virtual switch coupled to the system bus and configured toreceive the packets and direct the packets to at least the first virtualswitch by operation of the memory controller.
 2. The packet handlingsystem of claim 1, wherein the offload processors are configured toprovide support for signature detection by an intrusion preventionsystem as the security related services.
 3. The packet handling systemof claim 1, wherein the offload processors are configured to providesupport for encryption/decryption as the security related services. 4.The packet handling system of claim 1, wherein the second virtual switchcomprises a network interface card coupled to the system bus, withpackets being passed to the first virtual switch by the second virtualswitch and an input-out memory management unit (IOMMU).
 5. The packethandling system of claim 1, wherein the offload processors are connectedto module memory disposed on their respective hardware module, andfurther include a snoop control unit for coherent read out and write into the module memory.
 6. The packet handling system of claim 1, whereinthe offload processors are connected to module memory disposed on theirrespective module and configured to permit zero-overhead contextswitching between threads of a networked application.
 7. The packethandling system of claim 1, wherein the offload processors are connectedto module memory and a computational FPGA, all being mounted together onan in-line hardware module configured for insertion into a dual in-linememory (DIMM) socket.
 8. The packet handling system of claim 4, whereinthe network interface card includes single root IO virtualization(SR-IOV).